Trust is a rare commodity in the world of cyberscams which we are seeing across the world, including here in India. It has been reported that an organization in India is being attacked on average 1789 times per week in the last 6 months, compared to 1643 attacks per organization in APAC. Unfortunately, 89% of the malicious files in India were delivered via Email in the last 30 days.
When looking at the behavior of scammers or hackers, they have the same modus operandi. The hacker has two tasks: Get into the inbox. And get the user to hand over the desired information.
Hackers spend tons of time thinking of creative ways to do both. The attack has to be crafted to not only fool security services, but also end-users. Fool the machine, fool the person and you’re golden!
We see tons of interesting ways of doing this. In this attack brief, I’ll explore one of the most unique and creative ways of getting users to hand over their information. How do they do it? By dynamically mirroring an organization’s login page. I’ll share how threat actors are creating mirror images of an organization’s landing page to fool users into handing over their credentials.
Attack
In this attack, hackers are able to mirror an organization’s traditional login page to get users to type in their credentials
- Vector: Email
- Type: Credential Harvesting
- Techniques: Impersonation
- Target: Any end-user
In this attack, threat actors are dynamically mirroring an organization’s login page to convince users to hand over credentials.
Email Example #1
The user is presented with a typical-looking password expiration reminder email. The link, as you see, does not go to a Google or company URL.
From there, the user is asked to fill out a reCAPTCHA form, adding a veneer of legitimacy.
Here’s where it gets interesting. Though the URL is completely unrelated to the company website, the page looks exactly like the real deal. In fact, it’s a bit-for-bit mirror of the actual company site. The end-user will have their email address pre-populated and see their traditional login page and background, making it incredibly convincing.
Techniques
Avanan have written extensively about a group called SPAM-EGY.and also published an informative webinar. Basically, they are a “Phishing as a Service” subscription group that guarantees:
- The ability to reach the inbox using ever-changing obfuscation methods,
- Re-direction to a phishing page that appears to be the second page of the Microsoft 365 login with a pre-populated email address.
- Dynamically-rendered landing page that changes the logo and background to match the domain of the email address.
- The landing page will either request the email twice as validation or, optionally, attempt to use the credentials in real-time in order to verify the password.
- If the password is good, the user will be directed to a real document or to the Office.com home page.
- Once the user has entered their credentials, a cookie in the browser will render the phishing page ‘unreachable’, frustrating any further analysis.
This attack follows all those trademarks. However, what’s different is that it targets Google domains. This represents an evolution of this type of attack.
It is incredibly clever since it matches the login page that the end-user is accustomed to seeing. It adds a Google reCAPTCHA form to boost legitimacy.
A clever end-user will see that the URLs don’t match. However, everything else does. In the arms race to fool users, this is one of the more effective campaigns we’ve seen.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Always hover over any link to see the destination URL before clicking on it
- Encourage end-users to ask IT if the email is legitimate or not
- Implement multi-tiered security that looks at a number of different indicators to determine if an email is malicious
Hackers will always be on the look out for unsuspecting online users – paying attention to the sites you are using and being wary of emails from unknown or unexpected sources will go a long way between calm and harm.
